HiProSUN High Protein SunFlower Extraction Meal GmbH and its affiliated companies (hereinafter collectively referred to as “Company”, “we” or “us”) take the protection of personal data seriously.
The EU General Data Protection Regulation (EU) 2016/679, hereinafter referred to as “GDPR”, has imposed obligations on us to protect personal data, which we must ensure towards a data subject (hereinafter referred to as “user”, “data subject”, “they” or “them”).
Insofar as we alone or jointly with others have to decide on the purpose and means of data processing, we are above all obliged to inform the user transparently about the type, scope, purpose, duration and legal basis of the processing.
With this data protection notice, we therefore inform them about the way in which their personal data is processed by our company.
A. General
(1) Definitions
For the purposes of the GDPR, in this privacy notice the term:
– “personal data” (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
– “processing” (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
– “controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law;
– “third party” (Art. 4 No. 10 GDPR) means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor;
– “processor” (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
– “consent” (Art. 4 No. 11 GDPR) means any freely given specific, informed and unambiguous indication of the data subject’s wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
(2) Name and address of the data controller
The controller for the processing of your personal data (Art. 4 No. 7 GDPR) is:
HiProSUN High Protein SunFlower Extraction Meal GmbH
Käthe-Kollwitz-Straße 6
D-91154 Roth
Federal Republic of Germany
Phone: +49 9171 8399837
E-mail: [email protected]
For further information on our company, please refer to the details in the imprint on our website.
You can use these contact details for questions regarding data protection.
There is currently no obligation to appoint a company data protection officer in our company.
(3) Legal basis for data processing
The processing of personal data is only lawfully permitted if it falls under at least one of the following justifications:
– “consent” (Art. 6 para. 1 sent. 1 lit. a. GDPR): if the data subject unambiguously expresses in an informed manner, by means of a declaration or another unambiguously confirmed action, that he or she consents to the processing of his or her personal data for one or more specific purposes; or
– “performance of a contract” or “pre-contractual measure” (Art. 6 para. 1 sent. 1 lit. b. GDPR): if the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures which are carried out at the request of the data subject; or
– “legal obligation” (Art. 6 para. 1 sent. 1 lit. c GDPR): if the processing is necessary for compliance with a legal obligation to which the controller is subject; this is the case, for example, in the event of a legal obligation to keep records; or
– “safeguarding vital interests” (Art. 6 para. 1 sent. 1 lit. d GDPR): if the processing is necessary to protect vital interests of the data subject or another natural person; or
– “exercise of public interest, exercise of official authority” (Art. 6 para. 1 sent. 1 lit. e GDPR): if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
– “legitimate interests” (Art. 6 para. 1 sent. 1 lit. f GDPR): where processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a minor child.
The storage of information in the end-user’s terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information of the end user and the consent must be provided in accordance with Regulation (EU) 2016/679, i.e. by consent of the end user (Section 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 sent. 1 lit. a GDPR).
Consent is not required,
– if the sole purpose of storing information in the end-user’s terminal equipment or the sole purpose of accessing information already stored in the end-user’s terminal equipment is to carry out the transmission of a communication via a public telecommunications network (Section 25 para. 2 No. 1 TDDDG) or
– if the storage of information in the end user’s terminal equipment or the access to information already stored in the end user’s terminal equipment is absolutely necessary in order for the provider of a telemedia service/digital services to be able to provide a telemedia service/digital services expressly requested by the user (Section 25 para. 2 no. 2 TDDDG).
We indicate the applicable legal basis below, whereby the processing may also be based on several legal bases.
(4) Data deletion and storage period
In the context of our processing operations, we indicate in each case for how long the data will be stored by us and when it will be deleted. If no explicit storage period is specified, your personal data will be deleted or blocked as soon as the purpose has been achieved or the legal basis for the storage has ceased to apply. Your data will only be stored on our servers in Germany, subject to the provisions in A. (6) and A. (7).
However, storage beyond the specified period may take place in the event of a (threatened) legal dispute or in the context of other proceedings or may be necessary on a legal basis (legal obligation to retain data, e.g. in accordance with Section 257 of the German Commercial Code (HGB), Section 147 of the German Tax Code (AO)). In this case (legal basis), the data will be blocked or deleted after the legally prescribed storage period has expired. However, this does not apply if further storage by us is necessary or required on the basis of another legal provision.
(5) Data security
In order to protect your data against accidental or intentional manipulation, loss, destruction or against unauthorised access by third parties, we use appropriate technical and organisational measures, taking into account the state of the art, technological advancements, the costs of implementation, the circumstances, scope and purpose of the processing as well as the potential risk and consequences of a data breach for the data subject.
(6) Cooperation with processors
As part of our business operations, we use external domestic and foreign service providers, just like any other company. Typical use cases are the use of a telecommunications provider, an IT company or suppliers and logistics service providers. These service providers, which are active within the scope of our business operations, only act on our instructions and have been contractually obligated to comply with the provisions of data protection law in accordance with Art. 28 GDPR.
If personal data is passed on to affiliated companies or from affiliated companies to us, this is based in each case on a commissioned data relationship.
(7) Conditions for the transfer of personal data to third countries
Personal data may also be passed on or disclosed by us to third parties located outside the European Economic Area (EEA) (so-called third countries) within the scope of the business relationship. This transfer or disclosure takes place exclusively for the fulfilment of contractual and business obligations or for the maintenance of the business relationship with us. The legal basis for this is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 et seq. GDPR.
Some of these third countries have a level of data protection that is comparable to the level of data protection in the EEA. The European Commission has determined the comparability through corresponding decisions. A list of these countries and a copy of these decisions are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
Other third countries may have no or no consistently high level of data protection due to a lack of legal provisions. In these cases, we ensure sufficient data protection through binding corporate regulations and contractual standard clauses for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR, certifications and codes of conduct. The contractual standard clauses used are available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0915.
(8) No automated decision making (including profiling)
We do not use automated decision-making (including profiling) and we do not intend to use your personal data in this way.
(9) No obligation to provide personal data
The conclusion of a contract with us is not dependent on you providing us with personal data beforehand and there are no corresponding legal or contractual obligations.
However, we may then only be able to provide or make available offers to a limited extent or not at all. Should this be the case, we will inform you of this.
(10) Legal obligation to transmit certain data
Due to legal or other obligations (e.g. by court order), we may be forced to provide the lawfully processed personal data to third parties, in particular public bodies. The legal basis for this is Art. 6 para. 1 sent. 1 lit. c GDPR.
(11) Your rights
As a data subject, you have, among other things, the right under:
– Art. 15 GDPR: to obtain confirmation from the controller as to whether personal data concerning them are being processed; if this is the case, as a data subject you have a right of access to these personal data and to information on the purpose of the processing, the categories of personal data being processed;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or the restriction of processing by the controller, or a right to object to such processing;
the existence of a right of appeal to a supervisory authority; if the personal data are not collected from the data subject, any available information on the origin of the data;
the existence of automated decision-making, including profiling, pursuant to Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
If personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
– Art. 16 GDPR: to obtain from the controller the rectification without delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
– Art. 17 GDPR: to require the controller to erase personal data concerning them without undue delay. The controller is obliged to erase personal data without undue delay if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, or if the data subject revokes his or her consent on which the processing was based pursuant to Art. 6 para. 1 sent. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing; or
the data subject objects to the processing pursuant to Article 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing; or
the data subject objects to the processing pursuant to Art. 21 para. 2 GDPR; or the personal data have been processed unlawfully; or
erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject; or
the personal data have been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.
Where the controller has made the personal data public and is obliged to erase it pursuant to the preceding paragraph, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to, or copies or replications of, that personal data.
This does not apply to the extent that the processing is necessary for the exercise of the right to freedom of expression and information;
for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject; or
for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i GDPR and Art. 9 para. 3 GDPR; or
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 para. 1 GDPR, where the said right is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or for the establishment, exercise or defence of legal claims.
– Art. 18 GDPR: to require the controller to restrict processing if the accuracy of the personal data of the data subject is contested for a period enabling the controller to verify the accuracy of the personal data; or
the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data; or
the controller no longer needs the personal data for the purposes of processing, but the data subject needs it for the establishment, exercise or defence of legal claims; or
the data subject has objected to the processing pursuant to Art. 21 para. 1 GDPR, as long as it has not yet been determined whether the legitimate grounds of the controller outweigh those of the data subject.
If processing has been restricted thereafter, such personal data may – apart from being stored – only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
The data subject who has obtained a restriction of processing hereunder shall be informed by the controller before the restriction is lifted.
– Art. 20 GDPR: to receive the personal data concerning him or her that he or she has provided to a controller in a structured, commonly used and machine-readable format, and he or she has the right to transmit this data to another controller without hindrance by the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried out with the help of automated procedures.
When exercising their right to data portability, the data subject has the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible.
The exercise of this right is without prejudice to Art. 17 GDPR. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The exercise of the right by the data subject shall not affect the rights and freedoms of other persons.
– Art. 21 GDPR: to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.
The data subject shall be expressly informed of the said right at the latest at the time of the first communication with it; this information shall be provided in a comprehensible form separate from other information.
In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by means of automated procedures using technical specifications.
The data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 para. 1 GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.
– Art. 7 para. 3 GDPR: to revoke their consent at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. The data subject shall be informed of this before giving consent. The withdrawal of consent must be as simple as giving consent.
– Art. 77 GDPR: to complain to a data protection supervisory authority about the processing of your personal data in our company.
The data protection supervisory authority responsible for us is:
Landesdatenschutzbeauftragter in Bayern
Wagmüllerstraße 18, D-80538 München
Federal Republic of Germany
Phone: +49 89 2126720
E-mail: [email protected].
You can exercise your rights as a data subject at any time by contacting us using the contact details provided under A.(2).
(12) Changes to the data protection notice
Our privacy notice is subject to periodic adaptation and amendment in light of changes in law, technology and organisation.
B. Visit websites
(1) Explanation of the function
When visiting our website, you will receive information about our company and the services and products we offer. Your personal data may be processed in the course of the visit.
(2) Personal data processed
If you visit our website for information purposes, the following categories of personal data are collected, stored and processed by us:
“log data”: When you visit our website, a log data record is stored temporarily and anonymously on our web server (server log files). This consists of:
– the referrer URL, i.e. the website from which our website was accessed;
– the name and URL of the requested website;
– the date and time of the call, including GMT time zone difference;
– a description of the type, language settings and version of the web browser used, the operating system and the amount of data transferred;
– the IP address of the requesting computer, which is shortened so that a reference to you can no longer be established;
– a message whether the call was successful (so-called HTTP status code).
“contact form data”: If we provide a contact form, the transmitted data is processed. This includes, for example, your first name, last name, e-mail address, request and time of transmission.
“newsletter data”: If we offer a newsletter subscription with which we provide information about current developments in our company, the market or other topics, you must register separately for this. The following data is collected, stored and processed within the scope of a newsletter subscription:
– the referrer URL, i.e. the website from which our website was accessed;
– the name and URL of the requested website;
– the date and time of the call, including GMT time zone difference;
– a description of the type, language settings and version of the web browser used, the operating system and the amount of data transferred;
– the IP address of the requesting computer, which is shortened so that a reference to you can no longer be established;
– a message whether the call was successful (so-called HTTP status code);
– the e-mail address;
– the date and time of registration and confirmation.
We do not evaluate your user behaviour within the scope of the newsletter.
(3) Purpose and legal basis of data processing
We process the aforementioned personal data in accordance with the GDPR and other legal provisions only to the extent necessary.
Insofar as this processing is based on Art. 6 para. 1 sent. 1 lit. f GDPR, the purposes stated below also represent our legitimate interest.
The processing of log data (server log files) serves statistical purposes and to improve the quality of our websites, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 sent. 1 lit. a or lit. f GDPR).
The processing of contact form data pursues the purpose of handling customer enquiries (legal basis is Art. 6 para. 1 sent. 1 lit. b or lit. f GDPR).
Newsletter data is processed for the purpose of sending one or more newsletters. You consent to the processing of your personal data when registering for the newsletter (legal basis is Art. 6 para. 1 sent. 1 lit. a GDPR).
You must register for the newsletter using the so-called double opt-in procedure. After registration, we will send you an e-mail to the e-mail address you provided, asking you to confirm that you wish to receive the newsletter from us in the future.
The purpose of this procedure is to provide proof of your registration in order to prevent possible misuse.
You can revoke your consent to receive the newsletter at any time and unsubscribe.
To revoke, click on the unsubscribe link provided in each newsletter, send an e-mail to [email protected] or another message to the contact details provided in the imprint.
In the event that the processing of the data makes it necessary to store information in your terminal equipment or to access information already stored in your terminal equipment, the legal basis for this is Section 25 para. 1, 2 TDDDG.
(4) Duration of data processing
Your data will only be processed for the period of time necessary to achieve the above-mentioned processing purposes. The legal bases mentioned there apply accordingly.
With regard to the use and storage of cookies, in particular their storage duration, we refer to the Cookie Policy.
Insofar as third parties are used in connection with the provision of deliveries and services, your data will only be stored on the systems of the third parties for as long as this is legally permissible or necessary for the respective order.
(5) Transfer of personal data to third parties; justification
The following categories of recipients may have access to your personal data:
– Third parties who are responsible for the operation of our website, process the transmitted and stored data or generally serve the implementation and maintenance of our business operations; these are usually the providers of services in the data processing centre, for invoicing, processing of payments, mediation of communication services, banks, insurance companies, legal advisors, business advisors, tax advisors, supervisory authorities, IT security service providers, parties involved in company acquisitions, restructuring or financing; unless these are commissioned data processors, the legal basis for the disclosure is Art. 6 para. 1 sent. 1 lit. b. or lit. f GDPR;
– Government bodies, in particular courts and authorities, if this is necessary to fulfil a legal or official obligation; the legal basis for the transfer is Art. 6 para. 1 sent. 1 lit. c GDPR.
We shall ensure an appropriate level of data protection when transferring data to third countries, but shall otherwise exclude any transfer of your personal data to third parties unless you have given us your express consent to do so in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR.
(6) Use of cookies, plugins and other services on our website
We use so-called cookies on our websites. Cookies are small text files that the browser you use stores on your physical storage medium (hard drive, etc.). They contain a characteristic string of characters that enables the party setting the cookie to obtain certain information. The text files themselves are not capable of executing any software or causing any damage to your computer. In particular, no viruses or malware are transmitted to your computer in this way. Rather, cookies serve the purpose of making the online offering user-friendly.
Cookies can therefore contain data with which the device used can be recognised. However, the individual user cannot be directly identified.
However, cookies can also be designed in such a way that only settings are stored in them.
Cookies can be stored for the duration of a specific session (session cookies) or beyond the session (permanent cookies). Session cookies are deleted as soon as you close your browser, while permanent cookies are only deleted after the duration of the cookie has expired.
Functionally, a distinction is made between technical cookies, performance cookies, advertising cookies, targeting cookies and sharing cookies.
Technical cookies are mandatory so that you can use the basic functions of our websites and security is guaranteed. These do not collect or store any information about you for marketing purposes; in particular, they do not record which web pages you have visited in detail.
Performance cookies, on the other hand, collect information about the use of our websites. The individual pages you have visited are recorded and stored. However, information that could be used to identify you is not collected and stored, as all information collected is anonymised. This serves the purpose of improving our offer, because it enables us to find out what interests our visitors.
Separate from this are so-called advertising and targeting cookies, which are intended to display advertising tailored to the needs of the user of a website or to offer third-party services. Since these cookies are stored for a maximum of 13 months, the effectiveness of the advertising can consequently be measured.
To improve the interactivity of our websites with other services, so-called sharing cookies may be used, the storage period of which is also a maximum of 13 months.
The legal basis for cookies that are absolutely necessary for the use of our services or websites (technical cookies) is section 25 para. 2 no. 2 TDDDG.
Any further use of cookies (performance cookies, advertising cookies, targeting cookies and sharing cookies) is only permitted and therefore possible with your express and active consent in accordance with section 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 sent. 1 lit. a GDPR or, in the case of transfer to third parties, after express consent in accordance with Art. 6 para. 1 sent. 1 lit. a GDPR.
You can find out which cookies we use, how to adjust your cookie settings and how to deactivate certain tracking settings in our cookie policy.
We do not use social media plugins on our websites. If our websites contain icons from social media providers (e.g. Threema.Work, WhatsApp), we only use these to passively link to the pages of the respective providers or directly to their apps on the mobile phone. Data sent to us from there is subject to the data protection provisions of the respective providers.